Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support forward client cert config XFCC header #3202

Merged
merged 20 commits into from
May 20, 2024
Merged

feat: support forward client cert config XFCC header #3202

merged 20 commits into from
May 20, 2024

Conversation

zufardhiyaulhaq
Copy link
Contributor

What type of PR is this?
configure envoy gateway to propagate XFCC header

What this PR does / why we need it:
this can be used to authorize client based on certificate from XFCC header

Which issue(s) this PR fixes:
#2599

@zufardhiyaulhaq
feat: support forward client cert config XFCC headers
8b806a1 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq zufardhiyaulhaq requested a review from a team as a code owner April 15, 2024 14:21
@zufardhiyaulhaq
feat: add clientCertDetailsConfiguration to configure xfcc header
6d4824c 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
Merge branch 'main' into support-forward-client-details-XFCC
6d14974
@zufardhiyaulhaq
feat: fix sites
819f9cf 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
feat: fix unit tests
cc85e7b 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
feat: move xfcc configuration to tls.clientvalidation & group into 1 …
ca813a4 
…struct

Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
Copy link
Contributor Author

@zhaohuabing @arkodg @guydc moving XFCC configuration to tls.clientvalidation and put mode & XFCC data selection when forwarding into 1 struct.

please help review

@zufardhiyaulhaq
Merge branch 'envoyproxy:main' into support-forward-client-details-XFCC
a380bc7
@zufardhiyaulhaq
feat: fix gen-check
c19d46b 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
feat: fix API removing uniqueItems & trailing space on test data
dc63165 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
arkodg
arkodg reviewed Apr 23, 2024
View reviewed changes
api/v1alpha1/tls_types.go Outdated Show resolved Hide resolved
arkodg
arkodg reviewed Apr 23, 2024
View reviewed changes
api/v1alpha1/tls_types.go Outdated Show resolved Hide resolved
arkodg
arkodg reviewed Apr 23, 2024
View reviewed changes
api/v1alpha1/tls_types.go Outdated Show resolved Hide resolved
arkodg
arkodg reviewed Apr 23, 2024
View reviewed changes
api/v1alpha1/tls_types.go Outdated Show resolved Hide resolved
@arkodg
Copy link
Contributor

arkodg commented May 6, 2024

hey @zufardhiyaulhaq a few comments have been added, with those addressed, this PR should be good be be merged

@zufardhiyaulhaq
Copy link
Contributor Author

Hi @arkodg sorry been of for a while, will work on this.
Thank you!

@zufardhiyaulhaq zufardhiyaulhaq mentioned this pull request May 11, 2024
Open
arkodg
arkodg previously approved these changes May 13, 2024
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks !

@arkodg arkodg requested review from a team May 13, 2024 20:18
@arkodg arkodg self-requested a review May 13, 2024 20:21
@zufardhiyaulhaq
feat: fix logic on xds listener & unit tests
0a20704 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
feat: fix gen-check
c611348 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
feat: fix gen-check
4bba6ca 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
feat: fix lint
562a6b3 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
@zufardhiyaulhaq
Copy link
Contributor Author

@arkodg please help review,
thank you!

shawnh2
shawnh2 reviewed May 20, 2024
View reviewed changes
Copy link
Contributor

@shawnh2 shawnh2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding some comments, basically LGTM

internal/gatewayapi/clienttrafficpolicy.go Outdated Show resolved Hide resolved
api/v1alpha1/clienttrafficpolicy_types.go Show resolved Hide resolved
internal/xds/translator/listener.go Outdated
Comment on lines 795 to 796
if in != nil {
if in.ForwardClientCert != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we merge these conditions? just to simplify the code

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can merge this, there is possibility that headers is nil.

internal/xds/translator/listener.go Outdated
Comment on lines 815 to 825
if in == nil {
return nil
}

if in.ForwardClientCert == nil {
return nil
}

if len(in.ForwardClientCert.CertDetailsToAdd) == 0 {
return nil
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can merge this, there is possibility that headers & forwardclientcert is is nil.

api/v1alpha1/clienttrafficpolicy_types.go
// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// +kubebuilder:validation:MaxItems=5
// +optional
CertDetailsToAdd []ClientCertData `json:"certDetailsToAdd,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we check the uniqueness of its element?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kubebuilder is not supporting checking unique of this elements

arkodg
arkodg previously approved these changes May 20, 2024
View reviewed changes
Copy link
Contributor

@arkodg arkodg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks for addressing the changes !

@arkodg arkodg self-requested a review May 20, 2024 16:08
@arkodg
Copy link
Contributor

arkodg commented May 20, 2024

@zufardhiyaulhaq can you run make generate again, see some failures in CI

@codecov Codecov
Copy link

codecov bot commented May 20, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 91.48936% with 4 lines in your changes are missing coverage. Please review.

Project coverage is 67.36%. Comparing base (711d545) to head (812d2c8).
Report is 2 commits behind head on main.

Files Patch % Lines
internal/xds/translator/listener.go 89.74% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #3202   +/-   ##
=======================================
  Coverage   67.36%   67.36%           
=======================================
  Files         166      166           
  Lines       19213    19293   +80     
=======================================
+ Hits        12942    12996   +54     
- Misses       5342     5365   +23     
- Partials      929      932    +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zufardhiyaulhaq
fix gen-check job
812d2c8 
Signed-off-by: zufardhiyaulhaq <zufardhiyaulhaq@gmail.com>
zhaohuabing
zhaohuabing reviewed May 20, 2024
View reviewed changes
api/v1alpha1/clienttrafficpolicy_types.go

// Envoy Proxy mode how to handle the x-forwarded-client-cert (XFCC) HTTP header.
// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
type ForwardMode string
Copy link
Member

@zhaohuabing zhaohuabing May 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ForwardMode might be a bit vague here since it's a package-wide type. Perhaps adding a XFCC prefix could enhance clarity.

Suggested change
type ForwardMode string
type XFCCForwardMode string

zhaohuabing
zhaohuabing reviewed May 20, 2024
View reviewed changes
api/v1alpha1/clienttrafficpolicy_types.go

const (
// Do not send the XFCC header to the next hop. This is the default value.
ForwardModeSanitize ForwardMode = "Sanitize"
Copy link
Member

@zhaohuabing zhaohuabing May 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, and the rest of modes.

Suggested change
ForwardModeSanitize ForwardMode = "Sanitize"
XFCCForwardModeSanitize XFCCForwardMode = "Sanitize"

zhaohuabing
zhaohuabing reviewed May 20, 2024
View reviewed changes
api/v1alpha1/clienttrafficpolicy_types.go
// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
// +kubebuilder:validation:Enum=Subject;Cert;Chain;Dns;Uri
type ClientCertData string
Copy link
Member

@zhaohuabing zhaohuabing May 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

Suggested change
type ClientCertData string
type XFCCCertData string

zhaohuabing
zhaohuabing reviewed May 20, 2024
View reviewed changes
api/v1alpha1/clienttrafficpolicy_types.go

const (
// Whether to forward the subject of the client cert.
ClientCertDataSubject ClientCertData = "Subject"
Copy link
Member

@zhaohuabing zhaohuabing May 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here, and the rest of constants.

Suggested change
ClientCertDataSubject ClientCertData = "Subject"
XFCCCertDataSubject XFCCCertData = "Subject"

zhaohuabing
zhaohuabing reviewed May 20, 2024
View reviewed changes
api/v1alpha1/clienttrafficpolicy_types.go
)

// Specifies the fields in the client certificate to be forwarded on the x-forwarded-client-cert (XFCC) HTTP header
// By default, x-forwarded-client-cert (XFCC) will always include By and Hash data
Copy link
Member

@zhaohuabing zhaohuabing May 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be useful to clarify what is Hash and By in the comment.

zhaohuabing
zhaohuabing approved these changes May 20, 2024
View reviewed changes
Copy link
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's get this in and address the comments in a follow-up PR.

@zhaohuabing zhaohuabing merged commit b99888a into envoyproxy:main May 20, 2024
26 checks passed
@zhaohuabing zhaohuabing mentioned this pull request May 20, 2024
Merged
@arkodg arkodg mentioned this pull request May 21, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shawnh2 shawnh2 shawnh2 left review comments

@zhaohuabing zhaohuabing zhaohuabing approved these changes

@arkodg arkodg arkodg approved these changes

@guydc guydc Awaiting requested review from guydc

@cnvergence cnvergence Awaiting requested review from cnvergence

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@zufardhiyaulhaq @arkodg @zhaohuabing @guydc @cnvergence @shawnh2